Java: SQL_SELECT_ORDER, orderby, ORDER) shouldn't be "SELECT name, id, xyz FROM table ORDER BY %s %s" and then String.format(SQL_SELECT_ORDER, orderby, ORDER) SELECT name, id, xyz FROM


SQL_SELECT_ORDER, orderby, ORDER) shouldn't be
"SELECT name, id, xyz FROM table ORDER BY %s %s"
and then
String.format(SQL_SELECT_ORDER, orderby, ORDER)
SELECT name, id, xyz FROM table ORDER BY ?
ps.setString(1, "xyz");
SELECT name, id, xyz FROM table ORDER BY 'xyz'
SELECT name, id, xyz FROM table ORDER BY 'xyz'
ps.setInteger(1, 3);
// ORDER BY takes an identifier/keyword rather than a value, which JDBC cannot bind
// with '?', so the sort direction is spliced into the SQL text with String.format.
private static final String SQL_SELECT_ORDER = "SELECT name, id, xyz FROM table ORDER BY %s";

...

/**
 * Lists rows sorted by the fixed column in the requested direction.
 *
 * The only strings that can ever reach the SQL here are "ASC" and "DESC": the value is
 * chosen from the boolean, never copied from caller-supplied text, which is what keeps
 * this String.format safe. The rest of the method is elided in the snippet ("...").
 *
 * @param ascending true for ORDER BY ... ASC, false for DESC
 */
public List<Data> list(boolean ascending) {
    String order = ascending ? "ASC" : "DESC";
    String sql = String.format(SQL_SELECT_ORDER, order);
    ...
// Only the '?' placeholder list is formatted into the SQL; the id values themselves are
// bound separately, so no caller data is concatenated into the query text.
private static final String SQL_SELECT_IN = "SELECT name, id, xyz FROM table WHERE id IN (%s)";

...

/**
 * Lists the rows whose id is in {@code ids}.
 *
 * NOTE(review): generatePlaceHolders and DAOUtil.setValues are not shown on this page; the
 * description below follows the inline comment. Presumably an empty set produces
 * "IN ()", which most databases reject — confirm how size 0 is handled.
 * The rest of the method is elided in the snippet ("...").
 *
 * @param ids ids to match; one '?' is generated per element
 */
public List<Data> list(Set<Long> ids) {
    String placeHolders = generatePlaceHolders(ids.size()); // Should return "?,?,?..."
    String sql = String.format(SQL_SELECT_IN, placeHolders);
    ...
    DAOUtil.setValues(preparedStatement, ids.toArray()); // binds one id per '?', in set order
    ...
SELECT name, id, xyz FROM table ORDER BY 'xyz'
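/**
 * Columns a caller may sort by. Constructed from the column names used elsewhere on this
 * page (name, id, xyz); replace with the real column set of {@code table}.
 */
private static final List<String> ALLOWED_ORDER_FIELDS = java.util.Arrays.asList("id", "name", "xyz");

/**
 * Resolves caller-supplied sort parameters into an ORDER BY fragment.
 *
 * A column name and a sort direction are SQL identifiers/keywords, not values, so they
 * cannot be bound with '?'. They are instead compared against a fixed allowlist and only
 * the allowlist's own spelling — never the caller's string — is spliced into the SQL.
 *
 * @param orderField     requested column; must be one of {@link #ALLOWED_ORDER_FIELDS}
 * @param orderDirection "asc" or "desc", case-insensitive
 * @return " ORDER BY &lt;field&gt; ASC" or " ORDER BY &lt;field&gt; DESC"
 * @throws IllegalArgumentException if either parameter is outside the allowlist
 */
private static String orderByClause(String orderField, String orderDirection) {
    String direction;
    if ("ASC".equalsIgnoreCase(orderDirection)) {
        direction = "ASC";
    } else if ("DESC".equalsIgnoreCase(orderDirection)) {
        direction = "DESC";
    } else {
        throw new IllegalArgumentException("Unsupported order direction: " + orderDirection);
    }
    int index = ALLOWED_ORDER_FIELDS.indexOf(orderField); // indexOf(null) is simply -1
    if (index < 0) {
        throw new IllegalArgumentException("Unsupported order field: " + orderField);
    }
    // Emit the allowlist element, not orderField, so caller text never reaches the SQL.
    return " ORDER BY " + ALLOWED_ORDER_FIELDS.get(index) + " " + direction;
}

/**
 * Returns every row of {@code table}, sorted by a caller-chosen column and direction.
 *
 * Do not round-trip the sort parameters through a PreparedStatement's String form: binding
 * them, calling String.valueOf(ps), stripping the quotes the driver added and running that
 * text with a plain Statement discards the quoting the PreparedStatement provided, so the
 * caller's input ends up in the executed SQL unquoted and unvalidated. The String form is
 * also driver-specific and not a query API. Identifiers are validated by
 * {@link #orderByClause} instead, and the Statement/ResultSet are closed on every path.
 *
 * @param order_field     column to sort by; must be allowlisted
 * @param order_direction "asc" or "desc", case-insensitive
 * @return one {@code Object[]} per row, values in result-set column order (1-based JDBC
 *         column i is stored at index i-1)
 * @throws IllegalArgumentException if the sort parameters are not allowlisted
 * @throws java.sql.SQLException    if the query fails
 */
public List<Object> getAllTableWithOrder(String order_field, String order_direction) throws java.sql.SQLException {
    String sql = "select * from table" + orderByClause(order_field, order_direction);
    //add connection here

    logger.info(sql); // contains only allowlisted identifiers, no caller data

    List<Object> rows = new java.util.ArrayList<>();
    // try-with-resources closes the ResultSet and Statement that the old code leaked.
    try (java.sql.Statement statement = conn.createStatement();
         ResultSet result = statement.executeQuery(sql)) {
        java.sql.ResultSetMetaData meta = result.getMetaData();
        int columnCount = meta.getColumnCount();
        while (result.next()) {
            Object[] row = new Object[columnCount];
            for (int i = 0; i < columnCount; i++) {
                row[i] = result.getObject(i + 1); // JDBC columns are 1-based
            }
            rows.add(row);
        }
    }
    return rows;
}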